Privacy and Cookies

1. Introduction

We are Vintage Roots Limited. You can find further details about us and how to contact us in sections 15 and 16. This notice explains how we handle personal data about our website visitors and customers. For the purposes of EU data protection law, we are the ‘controller’ of this personal data. In this notice, "we", "us" and "our" refer to Vintage Roots Limited.

2. How we use your personal data

In this section 2 we have set out:

the general categories of personal data that we may process

in the case of personal data that we did not obtain directly from you, the source and specific categories of that data

the purposes for which we may process that personal data

the legal bases for that processing

2.1. Data we automatically collect when you visit and use our website: We may process data about your use of our website ("usage data"). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. The source of the usage data is our analytics tracking system.Where this involves the use of cookies, we will ask you to consent to our use of any cookies that are not strictly necessary for the provision of our website. This usage data may be processed for the purposes of analysing the use of the website. The legal basis for this processing is our legitimate interests, namely monitoring and improving our website.We do not use analytics tracking to profile website visitors or serve targeted advertising. More information about our use of cookies in the processing of usage data is set out below in the sections about cookies.

2.2. Data you provide when setting up and using an account with us: We may process personal data you provide in order to set up an account with us to purchase our productsthrough our website ("account data"). The account data may include your name, email address, delivery and billing address and phone number.If you place an order for our products using your account, we will process your account data for the purposes of supplying the purchased products to you. The legal basis for this processing is that it is necessary for the performance of the contract between you and us for the supply of the products you have ordered. We will also keep records of our transactions with you, including information provided by the payment services providers we use (see section 2.5 for further information on use of your card payment data). The legal bases for this processing are our legitimate interests in the proper administration of our business and accounts and compliance with legal obligations that require businesses to retain certain records of transactions with customers. We will also store your account data so that you can use your account to place further orders for our products in the future using the data you have already provided and amend those data whenever you choose. The legal basis for this is our legitimate interests in providing customers with an easy way to place orders for our products on an ongoing basis and update/amend relevant data.We may also use your email address to send you an email if you have items in your basket but do not complete your order. This will involve combining your account data with usage data obtained via our analytics system (see section 2.1 for further information about usage data). The legal basis for this is our legitimate interests in maximising sales and providing customers with relevant information about their orders.

2.3. Data you provide when buying our products as a guest:We may process personal data you provide when you place an order for our products as a guest (i.e. without creating an account) ("order data"). The order data may include your name, email address, delivery and billing address and phone number. We will process your order data for the purposes of supplying the purchased products to you. The legal basis for this processing is that it is necessary for the performance of the contract between you and us for the supply of the products you have ordered. We will also keep records of our transactions with you, including information provided by the payment services providers we use (see section 2.5 for further information on use of your card payment data). The legal bases for this processing are our legitimate interests in the proper administration of our business and accounts and compliance with legal obligations that require businesses to retain certain records of transactions with customers.

2.4. Data you provide when buying our products as a trade customer: If you are a trade customer we will process any personal data you provide when you place an order for our products by phone or email ("trade customer order data"). The order data may include your name and business name, email address, delivery and billing address and phone number. We will process your order data for the purposes of supplying the purchased products to you. The legal basis for this processing is that it is necessary for the performance of the contract between you and us for the supply of the products you have ordered. We will also keep records of our transactions with you, including information provided by the payment services providers we use (see section 2.5 for further information on use of your card payment data). The legal bases for this processing are our legitimate interests in the proper administration of our business and accounts and compliance with legal obligations that require businesses to retain certain records of transactions with customers.

2.5. Card payment data: If you select to pay for our products online via our website using PayPal or WorldPay, the payment service provider you select will process your card details and other data you provide to them as part of the payment process ("card payment data"). If you select to pay for our products by card by phoning us, we will input your card payment data into a payment terminal provided by Worldpay, and WorldPay will then process the data for the purpose of processing the payment. Please note that these providers’ processing of your personal data will be subject to the relevant provider’s privacy policy, not ours.We will not receive your full card details when you use PayPal or WorldPay online via our website. These providers will send us certain limited data relating to your payment transaction to confirm that the payment has been processed, in accordance with their practices as set out in their privacy policies and service terms.Your full card details are not included in the confirmation sent to us by the payment services providers. We will use this confirmation for the purposes of fulfilling your order, the legal basis for this being performance of the contract between you and us for the supply of the products you have ordered. We will also keep the confirmation information provided by the payment services providers as part of the records of our transactions with you. The legal bases for this processing are our legitimate interests in the proper administration of our business and accounts and compliance with legal obligations that require businesses to retain certain records of transactions with customers.

2.6. Data we collect when you request a trade catalogue: If you are a trade customer and use our online trade catalogue request form or email or call us to request a trade catalogue, we will use the information collected in that form, email or phone call for the following purposes:

Your name and the business name and address will be used to send you a copy of our current trade catalogue. We will also keep these details in order to provide you with updated copies of our trade catalogue from time to time.

We will use any telephone numbers you provide to call you if you have indicated that you want us to contact you by phone. You do not have to provide a telephone number.

We will use your email address to email you if you have indicated that you want us to contact you by email. You do not have to provide an email address.

Your business type and alcohol licence information will be used to tailor the product offering to suit your businesswhen responding to your enquiry or for the purposes of our marketing activities in the circumstances described in sections2.8 and 2.9 .

The legal basis for this processing is our legitimate interests in growing and maintaining our business by promoting sales of our products and responding to customer enquiries.

2.7. Data we collect when you request a brochure: If you are an individual customer and use our online brochure request form or email or call us to request a trade catalogue, we will use the information collected in that form,email or phone call for the following purposes:

If you have indicated that you want to receive a brochure by post, your name and address details will be used to send you a copy of our current brochure. We will also keep these details in order to provide you with updated copies of our brochure from time to time.You can object to receiving these at any time – see information on 'Opting out of marketing' in section 2.8 .

If you have indicated that you want to receive an e-brochure by email, your name and email address will be used to send you a copy of our current e-brochure. We will also keep these details in order to provide you with updated copies of our e-brochure from time to time.You can object to receiving these at any time – see information on 'Opting out of marketing' in section 2.8

The legal basis for this processing is our legitimate interests in growing and maintaining our business by promoting sales of our products.

2.8. Using your personal data for marketing purposes: We may use your name and email address to send you newsletters and information about our products, promotions and offers in the following circumstances:

If you choose to receive such newsletters and information using any of the subscribe options made available via our website (such as on your account dashboard, at the time of placing an order for our products as a guest, at the bottom of all our website pages, when you request a free brochure or trade catalogueor provide us with an email address in order to receive a coupon in connection with a special offer or take part in a competition);

If you have asked to be added to our email marketing list over the phone or in person, such as when visiting our office or at trade fairs;

If you purchase products from us.

We may use your postal address to send you newsletters and information about our products, promotions and offers in the following circumstances:

If you have asked to be added to our postal marketing list over the phone or in person, such as when visiting our office or at trade fairs;

If you purchase products from us.

The legal basis for this processing is our legitimate interests in growing and maintaining our business by promoting sales of our products.

Opting out of marketing

You can object to receiving our email marketing at any time by:

Clicking on the ‘unsubscribe’ link provided in all such emails;

Changing your email marketing preferences on your account dashboard;

Contacting us using any of the contact details shown on our website.

If you object to receiving our email marketing, we will not send you marketing by email, unless you later tell us that you would like to receive it.

You can object to receiving our postal marketing at any time by:

Emailing us using the email address stated on the posted marketing materials;

Contacting us using the telephone number stated on the posted marketing materials;

Contacting us using any of the contact details shown on our website.

If you object to receiving our postal marketing, we will not send you marketing by post, unless you later tell us that you would like to receive it.

2.9. Using personal data to conduct unsolicited marketing: We may obtain business telephone contact details for potential trade customers and use these for the purposes of conducting direct marketing by phone. The sources of the personal data are publicly available sources such as the relevant business’s website, wine trade publications, local/regional publications and trade directories and third party lead generation companies.We will not call anybody who has told us they do not want us to call them. The legal basis for this processing is our legitimate interests in growing and maintaining our business by promoting sales of our products. You can object to receiving marketing calls by telling us during the call or at any other time by contacting us using any of the contact details shown on our website.

2.10. Data we collect when you communicate with us: We may process information contained in or relating to any communication you send to us and any contact details you provide in relation to that communication, whether by phone, post, email or using our online contact form ("correspondence data"). If you communicate with us by email or using our online contact form, the correspondence data may include the communication content and metadata associated with the communication. If you use our online contact form, our website will generate the metadata. We will process yourcorrespondence data for the purposes of communicating with you in relation to your request or enquiry and for record keeping. The legal basis for this processing is our legitimate interests in fostering relations with, and promoting our business and products to, customers and potential customers, the proper administration of our website and business and communications with customers/potential customers/website users.

2.11. Data we use to provide service communications:We may use your name and any contact details you have given to us to provide you with service information such as information about ordering deadlines, stock availability, delivery schedules/times, holiday opening times and warehouse closures. The legal basis for this processing is our legitimate interests, namely maintaining relations with, and providing potentially useful or important information about product availability and supply to, our customers and people who have expressed an interest in our products.

2.12. Credit data: If you are a trade customer and apply for a credit account with us, we will process any personal data you provide as part of your application for a credit account (whether provided in writing or orally) along with information from other sourcesfor the purpose of considering your application. We may use credit reference agencies to check your or your business’s credit status and rating as part of our consideration of your application and obtain relevant information from any referees you have provided in your application and from Companies House. Where credit data we obtain about you is not provided by you directly, the source of such data will be the credit reference agency we use (currently CreditSafe), your referees and/or Companies House. The legal basis for this processing is our legitimate interests, namelycarrying out due diligence on credit account applicants in order to protect our business against the potential risk of non-payments.

2.13. Using personal data in relation to legal claims. We may process any of your personal data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.

2.14. Using personal data for risk management and professional advice purposes. We may process any of your personal data identified in this policy where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.

2.15. Other purposes for processing personal data. In addition to the specific purposes for which we may process your personal data set out in this Section 2, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

2.16. Other people’s personal data: Please do not supply any other person's personal data to us, unless we prompt you to do so.

3. Providing your personal data to others

3.1. Suppliers and subcontractors: We may disclose certain personal data to the categories of suppliers or subcontractors identified below as reasonably necessary for the purposes set out below:

IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of use

Analysing use of the website

Website security

Usage data about our website users such as IP addresses, system configuration information and other information about traffic to and from our website

3.2. Payment services providers: Where you pay for our goods using our payment services providers, PayPal or WorldPay, we will share data relating to your transaction with those payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.

3.3. Other disclosures: In addition to the specific disclosures of personal data set out in this Section 3, we may disclose your personal data where such disclosure is necessary:

for compliance with a legal obligation to which we are subject;

in order to protect your vital interests or the vital interests of another natural person;

for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure;

for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice.

4. International transfers of your personal data

4.1. In this Section 4, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).

5.1. This Section 5 sets out our data retention practices, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

5.2. We will not retain personal data for longer than is necessary for the purposes we process it for.

5.3. It is not always possible for us to state a pre-determined period for storing different types of personal data, however, we apply the following criteria to determine storage periods:

Usage data: we store usage data for as long as we consider it useful, but in a form that does not enable the identification of individuals.

Account data:this will be stored until you ask us to delete the data or terminate the account.

Order data, trade customer order data and card payment data forming part of our transaction records: we will store this for as long as necessary for the proper administration of our business and accounts, to comply with legal obligations that require businesses to retain certain records of transactions with customers and for the establishment, exercise or defence of legal claims in connection with the transactions or the products purchased under those transactions.

Credit data: reports produced by our credit references agency are made available to us online and the retention period is determined by the credit reference agency. We retain hard copy credit application forms whilst the credit accounts are live and securely destroy them once the accounts are no longer live.

Data used for marketing (including sending brochures and catalogues) and sending service information: we will keep this for as long as we have a legitimate interest in marketing to you or sending you service information. If you object to marketing, we will no longer use the data to send you marketing but will keep your details on a suppression list to ensure that you are not sent any further marketing.

Correspondence data: we will keep this information for as long as necessary to respond to your enquiry, although emails will be stored and deleted according to our standard email archive and deletion procedures and communications metadata will be stored and deleted according to the archive and deletion procedures applicable to our underlying IT systems.

5.4. Notwithstanding the other provisions of this Section 5, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, for the establishment, exercise or defence of legal claims or in order to protect your vital interests or the vital interests of another natural person.

6.2. You acknowledge that the transmission of unencrypted (or inadequately encrypted) data over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.

6.3. You should ensure that any password you use to create an account with us is not susceptible to being guessed, whether by a person or a computer program. You are responsible for keeping the password confidential and we will not ask you for your password (except when you log in to your account).

7. Amendments

We may update this policy from time to time by publishing a new version on our website.We may notify you of changes to this policy by email or other appropriate means of communication.

8. Your rights

8.1. In this Section 8, we have summarised the rights that you have under data protection law that can be exercised against organisations that process your personal data. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the supervisory authorities for a full explanation of these rights.

8.2. Your principal rights under data protection law are the rights to:

access

rectification

erasure

restrict processing

object to processing

data portability

complain to a supervisory authority

withdraw consent

8.3. Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.

8.4. Rectification: You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. Where you have created an account with us, you can rectify some of your personal data yourself via the account dashboard.

8.5. Erasure: In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing as set out in the 'Object' section below; the processing is for direct marketing purposes; the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.

8.6. Restriction: In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.

8.7. Object: You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that it is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

8.8. Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.

8.9. Object to processing for research purposes:You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8.10. Data portability: To the extent that the legal basis for our processing of your personal data is either consent orthat the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract,and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

8.11. Complain to a supervisory authority: If you consider that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

8.12. Withdraw consent: To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

8.13. How to exercise these rights: You may exercise any of your rights in relation to your personal data that require any action by us by:

8.14. How to complain to a supervisory authority: To make a complaint to a supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. Relevant contact details for the UK supervisory authority, the ICO, can be found here: https://ico.org.uk/concerns/.

9. Third party websites

Our website may include hyperlinks to, and details of, third party websites. Please note that we have no control over, and are not responsible for, the privacy policies and practices of the third parties that operate such sites. This includes when you make use of any social media plug-ins on our website.

10. Personal data of children

Our website and products are targeted at persons over the age of 18, and we do not intend to process personal data of persons under that age.

11. Updating your personal data

If you have an account with us, you can correct or update much of your personal data that we hold using your account dashboard. You can also let us know if the personal data that we hold about you needs to be corrected or updatedby emailing your request to info@vintageroots.co.uk or calling us on 01189 326566 .

12. Cookies

12.1. A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

12.2. Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

12.3. Cookies do not typically contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.

13. Cookies that we use

13.1. We use cookies for the following purposes:

Cookie type

Purpose

Cookie

Expiry

authentication

to identify you when you visit our website and as you navigate our website

_cfduid JSESSIONID PHPSESSID

1 year Session Session

shopping cart

to maintain the state of your shopping cart as you navigate our website and enable you to view, compare and rememberproducts

to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally

Machine private_content_version

Session 10 years

advertising

to help us to display advertisements that will be relevant to you

fr r/collect tr _smSessionId _smToken _smVID

3 months Session Session Session 1 year 29 days

website performance monitoring

to monitor website availability and track page load times and other performance aspects of the site and receive notifications if our website is down

img/beacon.gif pa-I pa-l_enabled

Session Persistent persistent

Google Analytics

to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available at: https://www.google.com/policies/privacy/

14.1. Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

14.2. Blocking all cookies will have a negative impact upon the usability of many websites.

14.3. If you block cookies, you will not be able to use all the features on our website.

15. Our details

15.1. This website is owned and operated by Vintage Roots Limited.

15.2. We are a private limited company registered in England and Wales under registration number 03262957, and our registered office is at Barttelot Court, Barttelot Road, Horsham, West Sussex, RH12 1DQ.